sync: auto-sync from GURU-BEAST-ROG at 2026-05-29 16:34:25

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-05-29 16:34:25
2026-05-29 16:34:29 -07:00
parent 9e08eb5964
commit f576f7d686
3 changed files with 218 additions and 0 deletions


@@ -0,0 +1,126 @@
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
---
## Session Summary
Mike requested an account status check for barbara@barbaragrygutis.com, initially assuming the account lived on Neptune Exchange / ACG-DC16. RMM agents on both servers were queried via GuruRMM (both online, site: DF Server Storage). Neither returned any AD user or Exchange mailbox — the account did not exist on ACG infrastructure. A disconnected mailbox search on Neptune also returned nothing.
MX record lookup revealed the domain points to Microsoft 365 (barbaragrygutis-com.mail.protection.outlook.com), not Neptune. The tenant had not yet been onboarded to the ComputerGuru MSP app suite. Mike directed generating a Tenant Admin consent URL, which was sent to Barbara's Global Admin. After she consented, `onboard-tenant.sh` was run twice — the first pass created all SPs and assigned all directory roles but hit Graph replication lag on some appRoleAssignments; the second pass cleaned up all remaining permission gaps cleanly. All 5 apps are now fully onboarded (Defender skipped — no MDE license).
With the tenant onboarded, the Security Investigator app was used to pull Barbara's account status and sign-in logs. The account is enabled, cloud-only, with a password unchanged since December 2021. Sign-in logs revealed an active credential spray attack: 100+ blocked attempts over May 27-29 from Tor exit nodes, Linode VPS infrastructure, Hurricane Electric tunnels, and European proxy nodes — all blocked by Microsoft malicious IP detection (error 50053). Zero successful sign-ins were found in the 30-day log window. No mail forwarding and no inbox rules were identified. Critically, the tenant has no Conditional Access policies at all.
MFA detail check showed one registered device: Microsoft Authenticator on an iPhone 13 Pro Max (app version 6.8.1, SoftwareTokenActivated). No backup phone number registered. The `createdDateTime` field on the Authenticator registration was null, so the registration date cannot be confirmed. Mike elected not to take remediation action at this time.
A wiki article was created at `wiki/clients/barbaragrygutis.md` and a Syncro ticket (#32349) was opened under Barbara Grygutis Sculpture LLC (customer ID 133348) documenting the findings and pending remediation steps.
---
## Key Decisions
- Used RMM agents on ACG-DC16 and NEPTUNE (both enrolled in GuruRMM, site: DF Server Storage) rather than WinRM after WinRM timed out on both external and internal IPs for Neptune.
- Onboarded the tenant before querying account status — the Security Investigator app required consent to pull sign-in logs and auth methods.
- Re-ran `onboard-tenant.sh` a second time to backfill 4 appRoleAssignments that failed on first pass due to Graph SP replication delay (5-second sleep insufficient for a fresh tenant).
- No remediation taken (password reset, session revocation, CA policies) per Mike's direction — ticket opened for follow-up instead.
- Tenant added to `tenant-consent.html` consent dashboard and immediately marked done after successful onboarding.
- Session log placed under `clients/barbaragrygutis/` (new client directory) to match wiki slug structure.
---
## Problems Encountered
- **WinRM timeout on Neptune:** Both external (67.206.163.124) and internal (172.16.3.11) IPs timed out on port 5985. Resolved by switching to GuruRMM RMM agents on both machines.
- **`pywinrm` not installed:** Module not found on system Python and discord-bot venv. Installed via `py -m pip install pywinrm` — moot once RMM approach was used.
- **Graph replication lag on first onboard-tenant.sh run:** 4 appRoleAssignment grants failed with "Resource does not exist" immediately after SP creation. Resolved by re-running the script after a short interval; all grants succeeded on the second pass (idempotent).
- **Empty jq output on initial sign-in queries:** Filter queries using `$filter=userId eq '...'` returned empty output due to shell variable interpolation issue in the heredoc. Resolved by switching to URL-encoded query strings in the curl URL directly.
- **Sign-in log query initially returned no results:** First attempts at querying `auditLogs/signIns` returned empty — turned out to be a `jq` parse failure (control characters in response). Resolved by switching to `curl -w "\nHTTP:%{http_code}"` and processing raw JSON directly.
---
## Configuration Changes
- **Created:** `wiki/clients/barbaragrygutis.md` — new client wiki article
- **Modified:** `.claude/skills/remediation-tool/references/tenant-consent.html` — added Barbara Grygutis entry, status set to `done`
- **Created:** `clients/barbaragrygutis/session-logs/2026-05-29-session.md` — this file
---
## Credentials & Secrets
No new credentials created. Vault paths accessed:
- `infrastructure/gururmm-server.sops.yaml` — GuruRMM API credentials (for RMM agent dispatch)
- `clients/dataforth/neptune-exchange.sops.yaml` — Neptune Exchange credentials (attempted WinRM, unused)
MSP app credentials used (read from vault at token acquisition time):
- `msp-tools/computerguru-security-investigator.sops.yaml`
- `msp-tools/computerguru-tenant-admin.sops.yaml`
---
## Infrastructure & Servers
| Host | Role | Notes |
|---|---|---|
| NEPTUNE | Exchange Server 2016 | ACG-hosted, site: DF Server Storage. GuruRMM agent enrolled. WinRM not accessible externally or on 172.16.3.11 |
| ACG-DC16 | Windows DC | ACG domain controller, site: DF Server Storage. GuruRMM agent enrolled. No AD account found for barbara@ |
| barbaragrygutis.com M365 | Tenant | Tenant ID: `25998ddc-49e6-4234-9396-6c152ce4ea69`. MX: barbaragrygutis-com.mail.protection.outlook.com |
---
## Commands & Outputs
```bash
# MX check
nslookup -type=MX barbaragrygutis.com 8.8.8.8
# Result: barbaragrygutis-com.mail.protection.outlook.com (M365)
# Tenant ID resolution
bash .claude/skills/remediation-tool/scripts/resolve-tenant.sh barbaragrygutis.com
# Result: 25998ddc-49e6-4234-9396-6c152ce4ea69
# Onboarding (run twice — second pass clean)
bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh barbaragrygutis.com
# Result: [SUCCESS] Onboarding complete
# RMM commands dispatched:
# - ACG-DC16: Get-ADUser search by mail + UPN → no user found
# - NEPTUNE: Get-Mailbox + Get-Recipient wildcard search → no mailbox found
# - NEPTUNE: Get-MailboxStatistics disconnected mailboxes → zero disconnected mailboxes
```
**Sign-in attack summary (from Graph API):**
- 100 attempts in 30-day window, earliest 2026-05-27T15:15:28Z, latest 2026-05-29T17:41:50Z
- All errorCode 50053 (blocked: malicious IP)
- 100 unique IPs across Tor, Linode, Hurricane Electric, Limestone Networks, European proxy ranges
- Apps: Microsoft Azure CLI, Microsoft Online Services, OfficeHome, One Outlook Web
---
## Pending / Incomplete Tasks
- [ ] Confirm Barbara still controls the iPhone 13 Pro Max with Authenticator registered on account
- [ ] Force password reset (password is 4.5 years old and account is under active attack)
- [ ] Deploy CA policy: Require MFA for all users
- [ ] Deploy CA policy: Block legacy authentication
- [ ] Consider geo-restriction CA policy (all legitimate use expected to be US)
- [ ] Investigate auto-reply status — currently active/scheduled, may confirm account liveness to attackers
- [ ] Investigate Syncro duplicate: customer ID 641406 (grygutisstudios@dokotacom.net) — possible secondary contact or stale record
---
## Reference Information
- **Syncro ticket:** #32349 — https://computerguru.syncromsp.com/tickets/111566564
- **Syncro customer:** Barbara Grygutis Sculpture LLC — ID 133348
- **M365 tenant ID:** 25998ddc-49e6-4234-9396-6c152ce4ea69
- **Barbara's user object ID (Entra):** 11b4966e-1e5d-47f4-ad27-57d4713fab61
- **MFA device:** Authenticator ID 8f0e1723-18f6-40d4-8cc1-c4795840bba9 (iPhone 13 Pro Max)
- **Consent dashboard:** `.claude/skills/remediation-tool/references/tenant-consent.html`
- **Wiki article:** `wiki/clients/barbaragrygutis.md`
- **GuruRMM commands dispatched:**
- ACG-DC16 cmd: f1ebd858-1186-4317-ac78-62696067047b
- NEPTUNE mailbox cmd: a60781c7-cdc2-42a9-9c4b-370f9cc9f015
- NEPTUNE disconnected cmd: 3d997d11-a288-413a-ac14-c89091de2b4a
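Review bot: the attack counts in the "Sign-in attack summary" look truncated rather than complete. The summary reports exactly "100 attempts in 30-day window" and "100 unique IPs", while the Session Summary above says "100+ blocked attempts"; a result set of exactly 100 from `auditLogs/signIns` is the size of a single response page, so unless `@odata.nextLink` was followed the real totals (attempts, distinct IPs, earliest timestamp) are unknown and the summary should say "at least 100" or be regenerated after paging through all results. In the same hunk, the "Problems Encountered" entry on Graph replication lag notes a fixed 5-second sleep was insufficient; suggest the script poll for the service principal (e.g. retry the appRoleAssignment until the SP resolves, with a bounded backoff) instead of relying on a re-run. Finally, this log commits client tenant and user object IDs, the Authenticator device ID, customer e-mail addresses and internal/external server IPs in plaintext; confirm the repository's access controls are appropriate for that data or move those identifiers into the referenced sops-encrypted files and keep only the vault paths here.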